On Tue, Nov 30, 2004 at 07:15:44AM -0800, Eric Rescorla wrote:

> SSL has all three of these modes, actually, so perhaps the question
> you want to ask is why noone uses #3. The main argument against it is
> that it's about half as fast (on the server) in the best case because
> you need to do both a signature and a key exchange operation.
> On the client it's *much* slower because RSA public-key encryption
> is very fast (private-key decryption is much slower). 

The third mode is quite common for STARTTLS with SMTP if I am not
mistaken. A one day sample of inbound TLS email has the following cipher

8221    (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits))
6529    (using TLSv1 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
 186    (using SSLv3 with cipher DHE-RSA-AES256-SHA (256/256 bits))
 117    (using TLSv1 with cipher RC4-SHA (128/128 bits))
  59    (using SSLv3 with cipher RC4-SHA (128/128 bits))
  40    (using SSLv3 with cipher DES-CBC3-SHA (168/168 bits))
  28    (using TLSv1 with cipher RC4-MD5 (128/128 bits))
  16    (using SSLv3 with cipher EDH-RSA-DES-CBC3-SHA (168/168 bits))
  14    (using TLSv1 with cipher DES-CBC3-SHA (168/168 bits))
   1    (using SSLv3 with cipher RC4-MD5 (128/128 bits))
   1    (using SSLv2 with cipher DES-CBC3-MD5 (168/168 bits))

it is my perhaps misguided impression that the both the EDH and the DHE
cipher-suites provide PFS. Is there in fact a difference between EDH
and DHE?


 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to